A critical vulnerability (CVE-2025-3464) was discovered in ASUS Armoury Crate, a popular system management tool for ASUS Windows PCs. This flaw allows attackers with local access to escalate privileges and gain full administrative (SYSTEM) control over the affected machine.
Technical Details
The vulnerability involves local privilege escalation via kernel driver (AsIO3.sys) authorization bypass. It is rated High (CVSS score 8.8/10) and impacts Armoury Crate versions 5.9.9.0 through 6.1.18.0.
How the Exploit Works
The driver authorizes requests based on a hardcoded SHA-256 hash of the AsusCertService.exe file and a process ID allowlist, rather than using robust OS-level access controls. An attacker can exploit a race condition (Time-of-check Time-of-use, TOCTOU) by creating a hard link from a benign application to a fake executable. After launching and pausing the app, the attacker swaps the link to point to AsusCertService.exe. When the driver checks the hash, it sees the trusted binary and grants access, allowing the attacker’s code to interact with the driver and escalate privileges to SYSTEM. This provides direct access to physical memory, I/O ports, and model-specific registers, enabling full OS compromise.
Armoury Crate is the official system control software for Windows from ASUS, providing a centralized interface to control RGB lighting (Aura Sync), adjust fan curves, manage performance profiles and ASUS peripherals, as well as download drivers and firmware updates.
